CVE-2026-6521
OpenFlow v5 Protocol Infinite Loop in Wireshark
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wireshark | wireshark | From 4.4.0 (inc) to 4.4.14 (inc) |
| wireshark | wireshark | From 4.6.0 (inc) to 4.6.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6521 is a vulnerability in the OpenFlow v5 protocol dissector of Wireshark versions 4.4.0 to 4.4.14 and 4.6.0 to 4.6.4. It involves infinite loops caused by improper handling of malformed OpenFlow v5 packets.
Specifically, the vulnerability arises in two functions: one in the property-parsing loop for the tablemod property where a missing anti-infinite-loop guard causes the loop to never exit when processing malformed packets with invalid property lengths, and another in the action parser where zero-length actions cause the offset to reset repeatedly, creating an infinite loop.
These infinite loops cause Wireshark or TShark to crash or enter a denial-of-service state by consuming excessive CPU resources when analyzing crafted malicious packets.
How can this vulnerability impact me? :
This vulnerability can be exploited by an attacker who injects a malformed OpenFlow v5 packet or tricks a user into opening a malicious packet capture file.
When triggered, it causes Wireshark or TShark to enter an infinite loop, leading to excessive CPU consumption and potentially crashing the application.
The impact is a denial-of-service (DoS) condition on the system running Wireshark, which could disrupt network analysis or monitoring activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing network traffic for malformed OpenFlow v5 packets that trigger infinite loops in Wireshark's dissector. Specifically, crafted packets with malformed properties or zero-length actions can cause denial of service when processed.
A practical way to detect the vulnerability is to use TShark to analyze a specially crafted PCAP file that contains the malformed OpenFlow v5 packets. Running TShark on such a file can reproduce the crash or DoS condition, indicating the presence of the vulnerability.
Example command to reproduce the issue using TShark with a crafted PCAP file (e.g., poc_openflow_v5.pcapng):
- tshark -r poc_openflow_v5.pcapng
This command processes the PCAP file and will demonstrate the infinite loop or crash if the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wireshark to a version that contains the fix for this vulnerability. Specifically, users should upgrade to Wireshark versions 4.6.5 or 4.4.15 or later.
Avoid opening untrusted or suspicious packet capture files that may contain malformed OpenFlow v5 packets, as these can trigger the vulnerability.
If upgrading immediately is not possible, consider restricting access to Wireshark or TShark on systems that analyze OpenFlow v5 traffic to trusted users only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not include any details on how the CVE-2026-6521 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.